22 Apr 2021

Introducing Bing News Transforms to Query Bing News Articles in Maltego

Maltego Team

Be it researching a malware attack, conducting due diligence, or investigating disinformation campaigns, news articles can be helpful references for all types of investigations. A quick search in the browser allows us to gather background context, gain a more comprehensive understanding, and check previous reports about the topic in question.

But what if, instead of flipping through dozens of articles in separate browser tabs, we could add these news articles as data points directly into ongoing investigations and pivot from them?

With Maltego, this is no longer a hypothetical: We are excited to release the Bing News data integration in Maltego to make news article content queryable in a visualized graph!

Maltego’s Bing News Transforms

Integrated with the Bing News Search API, the News Transforms allow investigators to search the web for news articles and find context relevant to the persons, companies, locations, threats, and other topics involved in an investigation.

While the News Transforms Hub item is free to use for both community and commercial users, they’re allotted different weekly quotas: CE users have a limit of 30 Transform Runs, Pro users are granted 250 Transform Runs, and Maltego Enterprise customers have a quota of 1000 Transform Runs per week.

Alternatively, users can also choose to use their own Bing API key via the Transform settings to remove the Transform limit.

Using News Transforms

The News Transforms can be run on various Entity types—Person, Company, Location, Organization, Phrase, and more—as starting points. Investigators can also use the Transforms on Entities from other Hub items as long as the Entities have inherited properties from the default Maltego Entities.

Entry point for News Transforms

The News Transforms can complete two types of queries:

  • Searching news articles related to an input
  • Searching news articles of the exact input

The first returns search results that are broadly relevant to the input search phrases. The second only returns results that exactly match the search terms, which is equivalent to using quote parameters or Dorking techniques in a search engine.

Transform input window

Before running a News Transform, users can also specify or limit the search results to a certain domain, time frame, country, or language in the pop-up Transform input window.

Note: When the number of results fitting the configuration is lower than the number of results the Transform slider is set to, the query will also return additional search results that do not match the configuration.
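Because of the behaviour described in the note above, it is worth checking returned articles against the limits you configured before treating them as in scope. The following is an added example, not Maltego's code: it assumes the results have been exported as records with hypothetical `url`, `published` and `lang` fields, and the sample data is constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample results; the field names are hypothetical, not Maltego's.
SAMPLE = [
    {"url": "https://www.example.com/suez-1", "published": "2021-03-25T08:00:00Z", "lang": "en"},
    {"url": "https://example.com.mirror.test/suez-2", "published": "2021-03-26T10:30:00Z", "lang": "en"},
    {"url": "https://news.example.com/archive", "published": "2020-11-02T09:00:00Z", "lang": "en"},
    {"url": "https://example.com/suez-de", "published": "2021-03-27T12:00:00Z", "lang": "de"},
    {"url": "https://example.com/suez-3", "published": "2021-03-29T23:59:59Z", "lang": "en"},
]

def host_in_domain(url, domain):
    """True if the URL's host is the domain itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = domain.lower().strip(".")
    # Match on a label boundary so "example.com.mirror.test" is rejected.
    return host == domain or host.endswith("." + domain)

def mismatches(article, domain=None, since=None, until=None, lang=None):
    """Return the configured limits this article does not satisfy."""
    reasons = []
    if domain and not host_in_domain(article["url"], domain):
        reasons.append("domain")
    published = datetime.fromisoformat(article["published"].replace("Z", "+00:00"))
    if (since and published < since) or (until and published > until):
        reasons.append("time frame")
    if lang and article["lang"].lower() != lang.lower():
        reasons.append("language")
    return reasons

def split_results(articles, **limits):
    """Separate articles that fit the limits from those that do not."""
    matching, padded = [], []
    for article in articles:
        reasons = mismatches(article, **limits)
        if reasons:
            padded.append((article["url"], reasons))
        else:
            matching.append(article["url"])
    return matching, padded

if __name__ == "__main__":
    utc = timezone.utc
    ok, extra = split_results(SAMPLE, domain="example.com", lang="en",
                              since=datetime(2021, 3, 23, tzinfo=utc),
                              until=datetime(2021, 3, 30, tzinfo=utc))
    print("matching:", ok)
    for url, why in extra:
        print("outside configuration:", url, why)
```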

Let’s look at an example.

We ran the To News Articles [Maltego News] Transform on the “Evergreen Marine” Phrase Entity, using the default country (US) and language (English) settings. The Transform returned 142 News Article Entities, most of which are about the recent blockage of the Suez Canal caused by the container ship, Vessel Ever Given.

Querying news related to Evergreen Marine

Selecting one of the News Article Entities, we can see the picture thumbnail, title, summary, and source of the article in the Detail View to the right. Clicking on the hyperlinked source will take us to the website where the news article is published.

What’s notable about the News Article Entity is that it inherits the configurations of the Maltego URL Entity. This means that one can run any Transform that works with a URL Entity on the News Article Entity.

For instance, we can select the resulting News Article Entities and run the To Entities [IBM Watson] and To Website [Convert] Transforms from the Maltego Standard Transforms Hub item to extract text elements from the article content and retrieve the correlating Website Entity.

Running Maltego Standard Transforms on News Article Entities

Using the Website Entity derived from the News Article Entity, we will then be able to obtain infrastructure data, historic snapshots of the websites, phone numbers and email addresses found on the websites, and a lot more information. From the Company and Person Entities, we can pivot into OpenCorporates, OCCRP Aleph, or even Pipl and the Orbis database to retrieve information on relevant stakeholders, their relationships, and their backgrounds.

This is especially useful in cases of investigating misinformation and disinformation campaigns. Once investigators and researchers spot traits of disinformation, they can quickly query for similar news content, identify the websites and actors circulating them, and potentially map the whole campaign network.

Acquiring Complementary Context in Various Investigations

In other types of investigations, the News Transforms help investigators gain an understanding of the latest happenings and news related to the targets and identify potentially relevant pivots.

Use Case 1: Company Investigations

We want to investigate the management of the German company, Steinhoff Eta GmbH. Using the OpenCorporates Hub item, we first ran the Search Companies Transform on a Phrase Entity called “Steinhoff.”

The Transform returned a number of Company Entities broadly matching the search input. We identified the three most accurate Company Entities and ran the To Officers Transform to obtain the names of the management personnel.


On these Officer Entities, we ran the To News Article related to Person [Maltego News] Transform to search for news articles they have been involved in. Skimming through the News Article Entities, we quickly discovered that multiple officers from the companies have been involved in multiple settlement cases.

Finally, we ran the To Entities [IBM Watson] Transform to extract the key content of the news articles we are interested in.

Using News Transforms to enrich context in company investigations

Use Case 2: Network Investigations

In this case, we want to find out whether there is any connection between multiple websites publishing far-right views in the US:

  • www[.]qagg[.]news
  • www[.]8kun[.]net
  • theystoleyourvote[.]com
  • qanonbin[.]com
  • beta[.]qagg[.]news

We started by adding them to the graph as Website Entities and running the To IP [DNS] Transform from the Maltego Standard Transforms Hub item. The Transform returned three IP addresses, on which we ran the To Details (Location, DNS, ASN, Company) [IPQS] Transform.

The Transform results showed that all three IP addresses belong to the same AS number, which is associated with the organization “Vanwatech.”


To find out more about this organization, we ran the To News Articles with Exact Company [Maltego News] Transform. One article titled “A 23-Year-Old Code Kept QAnon Online When No One Else Would” immediately caught our attention, so we bookmarked it in green.

On the News Article Entities, we ran the To Entities [IBM Watson] Transform again.

Using News Transforms to enrich context in network investigations

From the results of the News Transforms and the To Entities [IBM Watson] Transform, we see that Nik Lim, the founder and CEO of Vanwatech, has recently been featured in a Bloomberg article for hosting politically questionable content using his company.

Start Using the Maltego News Transforms to Enrich Your Investigations’ Context!

Simple and straightforward, the News Transforms enable investigators, journalists and researchers to quickly gather time-sensitive news and background context to complement all sorts of investigations.

We hope you enjoy our walkthrough of the Bing News data integration! Don’t forget to follow us on Twitter and LinkedIn and subscribe to our email newsletter to stay updated on new tutorials, use cases, and data integration releases!

Happy investigating!
